Paris, May 25th, 2018 – On May 14th, the National Assembly adopted the draft law on the protection of personal data, quickly followed by the referral to the Constitutional Council by 60 senators.
This text aims to adapt the French “Data Protection and Freedom of Information” law (loi Informatique et Libertés) to the entry into application of the European Regulation on the protection of personal data (Regulation 2016/679, abbreviated “GDPR”).
A large number of obligations, however, are not affected by this referral and therefore come into effect today.
In order to replace the system introduced by Directive 95/46/EC of 1995, the GDPR aims to establish a unified system for personal data in the European Union.
First, it should be noted that the processing is very broadly defined and covers almost all operations relating to personal data, from collection to destruction.
While it does not overturn the general principles relating to the collection and processing of personal data that we are familiar with (for example, the legal basis for data processing, consent, the limited period of retention of personal data), the Regulation introduces a number of changes for the benefit of natural persons and, as a result, new obligations for all natural persons, legal entities, public authorities, services or any organisation that collects personal data.
The Regulation applies to controllers and subcontractors (the “processors” of the Regulation).
One of the contributions of the Regulation is to define the concepts of controller and subcontractor:
- The controller determines the purposes and means of the processing.
- The subcontractor processes personal data on behalf of the controller.
The obligations of the subcontractor are also specified, particularly with regard to the level of data security, respect of confidentiality and its obligation to assist the controller with impact assessments, notifications to the supervisory authorities and communication to data subjects in case of data breaches.
In practice, this clarification requires that the obligations of each party in contracts involving the processing of personal data be specified.
It should be noted that the French Data Protection Authority (the CNIL) has recently published a guide for subcontractors.
An extended territory of application
The regulation therefore applies to all natural persons or legal entities, public authorities, services or organizations (in particular companies and government agencies) of the Union that process personal data.
It also applies when data concerning a citizen from the European Union are processed. Companies and organizations outside the European Union will therefore also be subject to obligations of the Regulation if they process data from European citizens.
The Regulation does not change the conditions for the lawfulness of data processing.
The processing of personal data is lawful only if one of the following conditions is met:
– the data subject has consented to the processing for one or more specific purposes,
– the processing is necessary:
- for the implementation of a contract (or pre-contractual measures) to which the data subject is a party,
- for compliance with a legal obligation,
- for safeguarding the vital interests of the data subject or of another natural person,
- for the performance of a task carried out in the public interest or in the exercise of public authority,
- for legitimate interests pursued by the controller or by a third party.
- The Regulation specifies the conditions under which individuals consent to the processing of their data.
These details concern the form (explicitness, comprehensible form, requirements of clarity and simplicity, clear distinction from other matters if the consent is included in another document, etc.) and the substance, since consent must be collected for a specific processing operation.
Consent may also be withdrawn at any time. This implies, for example, that when consent is given online, data controllers must provide a way to withdraw that consent effectively and must implement the corresponding data deletion in their systems.
It strengthens the protection of citizens and their data
The Regulation confirms certain rights: the right of individuals to access their personal data; the “right to be forgotten” (i.e. the right to have data deleted); the right to obtain the rectification of personal data and the right to have data completed if they are incomplete.
It also provides details on the right of information of individuals on how the data will be processed (concise, transparent, comprehensible and easily accessible information in clear and simple terms, especially for information intended for children, and free of charge, except in case of unfounded or excessive requests for information).
A novelty: the Regulation establishes a right to data portability. Once data has been collected with the person's consent and processed by automated means, the person may require the transfer of their data to another controller.
One exception, however, is that this right to portability does not apply to data processed for public services or falling under a public authority.
The controller has increased responsibilities
This is one of the most notable changes of the new regime: the obligation of prior declarations (“the CNIL declarations”) has been removed and replaced by the obligation of the controller to implement technical and organizational measures that ensure, and demonstrate, that processing conforms to the Regulation, in a logic of “compliance”. It is understood that the supervisory authorities (the CNIL in France) will be responsible for verifying compliance with all of these obligations.
- “Privacy by design” and “Privacy by default”
As soon as personal data processing is planned, and at the time the means of processing are determined, the controller must put appropriate technical and organizational measures into place (e.g. pseudonymization) to ensure effective data protection.
By default, only the personal data necessary for a specific purpose can be processed. This requirement applies to the amount of data, the extent of processing, the retention period and the accessibility of the data.
- Obligation to keep a record of processing activities
Keeping a record of processing activities is mandatory for companies and organizations, with the exception of those with fewer than 250 employees (unless the processing is likely to involve risks and is not occasional, or relates to sensitive data or to personal data relating to criminal convictions and offenses).
This record will be made available to the CNIL in the event of an inspection. It contains the following information:
- name and contact details of the controller,
- purposes of processing,
- description of categories of data subjects and categories of data processed,
- categories of data recipients,
- transfers to third countries,
- and, whenever possible: data deletion times and the description of security measures.
- Conduct impact assessment
The controller must carry out an impact assessment before the processing is performed if the processing poses a high risk for the rights and freedoms of individuals, especially when using “new technologies”.
Such an analysis will be compulsory, in particular, in case of:
- systematic and in-depth evaluation of personal aspects by automated processing, where the evaluation produces legal effects or significantly affects the person,
- large-scale processing of sensitive data and of data on criminal convictions and offenses,
- systematic large-scale monitoring of publicly accessible data.
Schematically, an impact assessment identifies the risks associated with the processing of personal data and the measures taken by the controller to minimize these risks.
The guidelines give various examples of high-risk situations: evaluation (work, health, behavior, etc.), automatic decision-making, sensitive data processing, large data volumes, combination of data sets, etc.
- Appoint a data protection officer
The Regulation establishes the function of data protection officer (DPO), who must be involved in all questions relating to the protection of personal data and who, in particular, must inform and advise the controller or the subcontractor, monitor the application of the Regulation and cooperate with the supervisory authority.
The appointment of an officer will be mandatory:
- for public authorities or public organizations (except for the courts),
- if the basic activities of the controller or subcontractor require regular and systematic large-scale monitoring of individuals or consist of large-scale processing of special categories of sensitive data (racial or ethnic origin, health data, political opinions, union membership, etc.) and/or data relating to criminal convictions and offenses.
In other cases, Member States may make the designation of a DPO mandatory.
It should be noted that the officer is a personal role (it is not a service) and that he or she will benefit from a special status in the company or organization (confidentiality, protection in the performance of his or her duties, etc.).
- Inform the CNIL and the persons concerned in case of personal data breaches
In the case of a security breach, the Regulation creates an obligation for the controller:
- To notify the supervisory authority (CNIL) as soon as possible and at the latest within 72 hours of becoming aware of the breach,
- To communicate with the persons concerned as soon as possible if the breach creates a high risk for them.
The transfer of personal data to third countries is supervised
The transfer of personal data outside the Union can take place only:
- If the Commission decides that the third country offers an adequate level of protection of personal data and that the persons have enforceable rights and effective remedies (e.g. the “Privacy Shield” agreement between the European Union and the USA),
- If the controller or processor has provided appropriate safeguards, including, for corporate groups, data protection and transfer agreements (referred to as “binding corporate rules” in the Regulation),
- Under certain conditions, for example where the person has consented to the transfer after being informed of the risks, or where the transfer is necessary for the performance of a contract or for the exercise of legal claims.
It should be noted that the Regulation gives supervisory authorities investigative powers and the possibility to order corrective measures (e.g. warning, formal order, limitation of processing, suspension of data flows, etc.).
The supervisory authorities then have the power to impose administrative fines (according to the provisions of the Regulation that have been violated):
- up to 10M€ or (for companies) 2% of the annual global turnover,
- up to 20M€ or (for companies) 4% of the annual global turnover.
In addition, a person who has suffered damage may be compensated for their loss. Class actions (collective actions by persons who have suffered the same damage) may also be brought in accordance with national law.
In practical terms, this new regime makes it necessary to review the approach of companies (and any other person) with regard to personal data, and to review the practices of collection and processing of personal data and processes that may relate to personal data.
This exercise must involve all concerned parts of the company in question, including in particular the legal department, IT, human resources, and commercial or customer relations services, and it requires both legal and technical skills.